florianutz / Ubuntu1804-CIS

Ubuntu CIS Hardening Ansible Role

Ubuntu1804-CIS : sysctl flush ipv6 route table fails when playbook invoked twice in a row (reboot of the target box between the two) on a fresh 18.04.4 distro #77

Open SSSSeb opened 4 years ago

SSSSeb commented 4 years ago

**Describe the bug**

I followed the documentation and used all default settings and used the master branch at commit 918ee304c1e61718224a166a0bf9e19afdc2c131. I ran the full playbook using ansible-playbook site.yml on a freshly installed 18.04.4 ubuntu distro on one system (called n0002)...

The problem is that running the playbook once works but not twice:

**To Reproduce**

Steps to reproduce the behavior:

1. Install ubuntu18.04.4 on a new server
2. Run `ansible-playbook site.yml` => success... i.e. with default settings the full playbook passes:
   ```
   n0002                      : ok=278  changed=131  unreachable=0    failed=0    skipped=110  rescued=0    ignored=0   
   ```
3. reboot the box (because 131 changes were done, so to be sure...)
4. try again to apply the playbook using `ansible-playbook site.yml` again
5. playbook goes smoothly until reaching step "sysctl flush ipv6 route table"
   ```
   RUNNING HANDLER [Ubuntu1804-CIS : sysctl flush ipv6 route table] ***************************************************************
   fatal: [n0002]: FAILED! => {"changed": false, "msg": "Failed to reload sysctl: kernel.randomize_va_space = 2\nfs.suid_dumpable = 0\nnet.ipv4.conf.all.send_redirects = 0\nnet.ipv4.conf.default.send_redirects = 0\nnet.ipv4.ip_forward = 0\nnet.ipv4.conf.all.accept_source_route = 0\nnet.ipv4.conf.default.accept_source_route = 0\nnet.ipv4.conf.all.accept_redirects = 0\nnet.ipv4.conf.default.accept_redirects = 0\nnet.ipv4.conf.all.secure_redirects = 0\nnet.ipv4.conf.default.secure_redirects = 0\nnet.ipv4.conf.all.log_martians = 1\nnet.ipv4.conf.default.log_martians = 1\nnet.ipv4.icmp_echo_ignore_broadcasts = 1\nnet.ipv4.icmp_ignore_bogus_error_responses = 1\nnet.ipv4.conf.all.rp_filter = 1\nnet.ipv4.conf.default.rp_filter = 1\nnet.ipv4.tcp_syncookies = 1\nnet.ipv4.route.flush = 1\nsysctl: cannot stat /proc/sys/net/ipv6/conf/all/forwarding: No such file or directory\nsysctl: cannot stat /proc/sys/net/ipv6/conf/all/accept_source_route: No such file or directory\nsysctl: cannot stat /proc/sys/net/ipv6/conf/default/accept_source_route: No such file or directory\nsysctl: cannot stat /proc/sys/net/ipv6/conf/all/accept_redirects: No such file or directory\nsysctl: cannot stat /proc/sys/net/ipv6/conf/default/accept_redirects: No such file or directory\nsysctl: cannot stat /proc/sys/net/ipv6/conf/all/accept_ra: No such file or directory\nsysctl: cannot stat /proc/sys/net/ipv6/conf/default/accept_ra: No such file or directory\nsysctl: cannot stat /proc/sys/net/ipv6/route/flush: No such file or directory\n"}
   ```

**Expected behavior**

I was thinking the playbook should be able to always apply even after a reboot and/or could be regularly reused against the server to check for compliance

**Software:**
 - Ansible Version: 2.9.10
 - Role/Repo Version master @ 918ee304c1e61718224a166a0bf9e19afdc2c131

**Additional context**

I logged on to the server just after and confirmed `sysctl -p` does not work anymore due to ipv6 "problems":

```bash
root@n0002:~# sysctl -p
kernel.randomize_va_space = 2
fs.suid_dumpable = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.ip_forward = 0
sysctl: cannot stat /proc/sys/net/ipv6/conf/all/forwarding: No such file or directory
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
sysctl: cannot stat /proc/sys/net/ipv6/conf/all/accept_source_route: No such file or directory
sysctl: cannot stat /proc/sys/net/ipv6/conf/default/accept_source_route: No such file or directory
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
sysctl: cannot stat /proc/sys/net/ipv6/conf/all/accept_redirects: No such file or directory
sysctl: cannot stat /proc/sys/net/ipv6/conf/default/accept_redirects: No such file or directory
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.tcp_syncookies = 1
sysctl: cannot stat /proc/sys/net/ipv6/conf/all/accept_ra: No such file or directory
sysctl: cannot stat /proc/sys/net/ipv6/conf/default/accept_ra: No such file or directory
sysctl: cannot stat /proc/sys/net/ipv6/route/flush: No such file or directory
net.ipv4.route.flush = 1
```

JimKlapwijk commented 4 years ago

This happens due to 3.7 which disables IPv6. This removes the directory /proc/sys/net/ipv6, causing sysctl to be unable to set the parameters. My suggestion would be to skip 3.7 for now.

@florianutz I'm not sure what the best solution would be in this case. Add a variable in defaults/main.yml which sets IPv6 disabled, and based on that we can either completely disable IPv6 OR set the sysctl parameters?
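One way to implement the variable-based split suggested above, as an added example that is not the role's own tasks: a stat on /proc/sys/net/ipv6 plus a hypothetical `ubuntu1804cis_ipv6_disabled` default decide whether the net.ipv6.* keys are written or removed, and the flush handler only runs while the tree exists. The file path /etc/sysctl.conf and the variable name are assumptions.

```yaml
# Added example, not the role's own code. Assumes a hypothetical variable
# ubuntu1804cis_ipv6_disabled in defaults/main.yml (default: false) and that
# the role writes its keys to /etc/sysctl.conf.
- name: Check whether the kernel still exposes the IPv6 sysctl tree
  ansible.builtin.stat:
    path: /proc/sys/net/ipv6
  register: ipv6_sysctl_tree

# IPv6 disabled (3.7): drop the keys from the file instead of setting them,
# otherwise every later "sysctl -p" and module reload fails on "cannot stat".
- name: Remove IPv6 sysctl keys when IPv6 is disabled
  ansible.builtin.sysctl:
    name: "{{ item }}"
    state: absent
    sysctl_file: /etc/sysctl.conf
    reload: false
  loop:
    - net.ipv6.conf.all.forwarding
    - net.ipv6.conf.all.accept_source_route
    - net.ipv6.conf.default.accept_source_route
    - net.ipv6.conf.all.accept_redirects
    - net.ipv6.conf.default.accept_redirects
    - net.ipv6.conf.all.accept_ra
    - net.ipv6.conf.default.accept_ra
    - net.ipv6.route.flush
  when: ubuntu1804cis_ipv6_disabled | bool or not ipv6_sysctl_tree.stat.exists

# IPv6 enabled: set the hardening values and notify the flush handler.
- name: Set IPv6 sysctl keys when IPv6 is enabled
  ansible.builtin.sysctl:
    name: "{{ item.name }}"
    value: "{{ item.value }}"
    sysctl_set: true
    sysctl_file: /etc/sysctl.conf
    reload: true
  loop:
    - { name: net.ipv6.conf.all.accept_ra, value: "0" }
    - { name: net.ipv6.conf.default.accept_ra, value: "0" }
    - { name: net.ipv6.conf.all.accept_redirects, value: "0" }
    - { name: net.ipv6.conf.default.accept_redirects, value: "0" }
  when: not (ubuntu1804cis_ipv6_disabled | bool) and ipv6_sysctl_tree.stat.exists
  notify: sysctl flush ipv6 route table

# handlers/main.yml: the flush is only meaningful while the IPv6 tree exists.
- name: sysctl flush ipv6 route table
  ansible.builtin.sysctl:
    name: net.ipv6.route.flush
    value: "1"
    sysctl_set: true
    reload: false
  when: ipv6_sysctl_tree.stat.exists
```

The second play run after a reboot then removes any stale net.ipv6.* lines left from the first run rather than reloading them, which is what made the handler fail.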

SSSSeb commented 4 years ago

Thanks a lot for your comment, this is what I did already. I can help with fixing it if the plan is clear/understood.